Bitwise Quantum Min-Entropy Sampling and 
New Lower Bounds for Random Access Codes 



Jiirg Wullschleger 
DIRO, Universite de Montreal, Quebec, Canada 
McGill University, Quebec, Canada 

July 18, 2011 



Abstract 

Min-entropy sampling gives a bound on the min-entropy of a randomly chosen 
subset of a string, given a bound on the min-entropy of the whole string. Konig 
and Renner showed a min-entropy sampling theorem that holds relative to quantum 
knowledge. Their result achieves the optimal rate, but it can only be applied if the 
bits are sampled in block, and only gives weak bounds for non-smooth min-entropy. 

We give two new quantum min-entropy sampling theorems that do not have the 
above weaknesses. The first theorem shows that the result by Konig and Renner also 
applies to bitwise sampling, and the second theorem gives a strong bound for the 
non-smooth min-entropy. 

Our results imply strong lower bounds for /c-out-of-n random access codes. While 
previous results by Ben-Aroya, Regev, and de Wolf showed that the decoding probabil- 
ity is exponentially small in k if the storage rate is smaller than 0.7, our results imply 
that this holds for any storage rate strictly smaller than 1, which is optimal. 

1 Introduction 

Let us assume that two players share a long string x G {0, l} n , over which an adversary 
has only partial knowledge. They would like to get a key, over which the adversary has 
almost no knowledge. Since the string is long, using a 2-universal hash function or, more 
generally, a normal strong extractor would be inefficient and hence impractical. Vadhan 
showed in [Vad04] that the two players can instead first randomly sample a relatively small 
substring x'G{0,l} fc ofx, and then apply an extractor to x'. This works because with high 
probability, the string x' will have almost - • t bits of min-entropy, if the min-entropy of x 
is at least t. Konig and Renner showed in [KR07] that this holds works in the more general 
case where the adversary has quantum information about x. Again, with high probability 
the string x' will have almost - ■ t bits of quantum min-entropy. 
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Related to these results are lower bounds for random access codes. This is an encoding 
of n classical bits into m < n qubits, such that from the encoding, a randomly chosen subset 
of size k can be guessed with probability at least p. The first lower bound was given for 
the case where k = 1 by Ambainis, Nayak, Ta-Shma and Vazirani in |ANT SV99j. It was 
later improved by Nayak in |Nay99| to m > (1 — H(p))n, where H(-) is the binary entropy 
function. For the general case where k > 1, a lower bound was presented by Ben-Aroya, 
Regev, and de Wolf in |BARdW08] . They showed that for any rj > 2 In 2 there exists a 
constant C v such that 

It implies that if m < n/{2 In 2) ~ 0.7n, then p < 2~ n<yk \ In the same work they also showed 
lower bounds for a variant of random access codes called XOR-random access codes, where 
the player is asked to guess the XOR of a random subset of size k. De and Vidick presented 
in |DV10] lower bounds for functional access codes, which is a generalization of XOR-random 
access codes where the player is asked to guess the output of a function with binary output 
chosen from a bigger set. 

The result in |Vad04] implies a classical lower bound for fc-out-of-n random access codes. 
In principle, this would also be possible in the quantum setting, as the min-entropy is defined 
as minus the logarithm of the guess probability. Unfortunately, the results by Konig and 
Renner are not general enough to do that, because they require the sampling to be done in 
blocks. 

[BARdW08j showed that lower bounds for fc-out-of-n random access codes imply lower 
bounds for the one-way communication complexity of k instances of the disjointness problem. 



1.1 Contribution 

In this work we give two new results for quantum min-entropy sampling. 

First, we show in Theorem [3] in Section [3] that the bounds given in Corollary 6.19 and 
Lemma 7.2 in [ KR07| also apply to the case where the sample is chosen bitwise, instead of 
(recursively) in blocks. This result simplifies some protocols^ as it eliminates an artificial 
extra step where the bits have to be grouped in blocks. 

Second, building on previous results given in |BARdW08] and |DV10j . in SectionHJwe will 
give a new quantum sampling theorem (Theorem[5]). The proof of Theorem[5]is much simpler 
than the min-entropy sampling results in [KR07], and give stronger bounds for non-smooth 
min-entropy. It implies the following corollary. 

Corollary 1. Let a cq-state pxq be given, where X £ {0, l} n . Let T be a random subset of 
[n] of size k. If for a constant c £ [0, 1] we have H m i n (X \ Q) p > cn, then 

-f2min(A T | TQ) p > k - 5 . 

o 

1 For example, it allows that the simpler and more intuitive Protocol 2' in KWW09 can be proved secure, 
instead of the more complicated Protocol 2. 
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Corollary [T] immediately implies the following bound for random access codes. 

Corollary 2. Let e > be a constant. For any k-out-of-n random access code where the 
storage is bounded by m < (1 — e)n, the success probability is at most 2~ n ( k \ 

As the results in [BARdW08] , Corollary [2] generalizes the bound given by Nayak to the 
case where k > 1. But while the results in [BARdW08] require that m < 0.7n, our results 
imply that the success probability decreases exponentially in k even if m is close to n. 

Together with Lemma 8 in [BARdW08j, Corollary |5] implies a strong lower bound for the 
one-way communication complexity of k independent instances of the disjointness problem. 

2 Preliminaries 

The binary entropy function is defined as H(x) := — xlogx — (1 — x) log(l — x) for x £ [0, 1], 
where we use the convention logO = 0. For y £ [0, 1], let H~ l {i)) be the value x £ [0, ~] such 
that H(x) = y. The Hamming distance d# between two strings is defined as the number of 
bits where the two strings disagree. We use the notion [n] := {1, . . . , n}. The substring of 
x £ {0, l} n defined by the set s C [n] is denoted by x s . 

Let pxq be a cq-state of the form pxq = YuxP*\ x )( x \ ® Pq- The conditional min-entropy 
is defined as 

H m i n (X | Q) p := — logPg UeS s(A | Q) p , 

where 

P g uess(A | Q) p := max^P x (x) tr{E x p x ) . 

The maximum is taken over all POVMs S = {E x } x& x on Q. P guess (X | Q) p is therefore the 
probability to correctly guess X by measuring system Q. The equivalence of this definition 
of iJ m in with the definition used in |KR07] has been shown in |KRS09] in Theorem 1. The 
statistical distance D(p, 0) between two states p and is defined as 

D(p, <p) = max | tr(Eip) - tr(Ei<t>) \ , 

where we maximize over all POVMs £ = {E x } x£ { iy. D(p,<f)) is therefore the maximal 
probability to distinguish p and by a measurement. It can be shown that D(p,<p) = 

Lemma 1. Let pxq be a cq-state where X is binary and let tx be the fully mixed state. 
Then D(p X Q, Tx® Pq) < £ implies that P gucss (X \ Q) p < | + e. 

Proof. Let us assume that there exists a POVM £ on Q that can guess X with a probability 
bigger than h + e. We define a POVM £' on X <g> Q in the following way: We measure Q 
using £ and XOR the output with X. We have ti{E[p X E) < \ — £ and ti{E[{jx <8> Pq)) = \- 
Hence D(pxQ, t~x ® Pq) > e, which contradicts the assumption. □ 

Lemma 2 (Chernoff/Hoeffding). Let Px ...x„ = Pj£ be a product distribution with Xi £ [0, 1]. 
Let X := i J2"=o x h a nd p = E[X\ . Then, for any e > 0, Pr [X < /i - e] < e~ 2ne2 . 
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3 Bitwise Sampling from Blockwise Sampling 



In this section we show that the min-entropy sampling results from [KR07J, which require 
blockwise sampling, also imply the same bounds for uniform bitwise sampling. 

The following theorem is the statement of Corollary 6.19 in |KR07] for uniform sampling. 
Here H^ in * s the smooth min-entropy, and Ho the Renyi 0-entropy. The definitions of these 
entropies and their properties can be found in Section 5 in [KROTj or Chapter 3 in |Rcn05j. 

Theorem 1 ( |KR07j ). Let p XQ be a cq-state where X = (X u ...,X n ) G X n . Let S C [n] 

be chosen uniformly at random among all subsets of size r. Assume that k = ^q^r^n — 0.15. 
Then 

H Lin( x s I S, Q) H min (X | Q) i „i / 

Mx7) £ S^T) *-*>** l l«< 

where e = 2 • 2^ nlog ^ + 3e" r?2/8 

The statement says that with high probability, the min-entropy rate of a random subset is 
almost as big as the min-entropy rate of the whole string. To achieve the required condition 
n < 0.15 • r log \X\ (for example if X is a bit string), X might have to be grouped into blocks 
first. But as pointed out in [BARdW08] . even then the statement cannot be applied if we 
want to sample a subset that is smaller than the square-root of the total length of the bit 
string. 

To overcome this problem, [KR07j proposed a recursive application of Theorem [TJ The 
following theorem is Lemma 7.2 in [KR07j . See Section 7 in [K R07j for the exact definition 
of the sampling algorithm ReSamp(X, /, r, S). 

Theorem 2 ( |KR07j ). Let pxQ be a cq-state where X is a n-bit string. Let n, f and r be such 
that r^ 3 / 4 ^ > r 4 . Let S be a string of uniform random bits, and let Z = ReSamp(X, /, r, S). 
Then Z is a n^ 3 ^ -bit substring of X , with 

H^ in (Z\S,Q) H miQ (X I Q) _ logr 
H (Z) ~ H (X) 1 rV4 ' 

where e = 5/ • 2~^/ 8 . 

Since bitwise sampling is generally better than blockwise sampling, it seems that the 
results of both Theorem [1] and [2] should also hold if the subset is sampled bitwise uniformly. 
The following theorem shows that this is indeed the case. 

Theorem 3. The bound of Theorem U\ and d also apply if the sample is chosen bitwise 
uniformly. 

Proof. Let k,n e N, were k < n. Let Pxq be a cq-state where X G {0, l} n . Let S C [n] 
be chosen uniformly at random from all subset of size k and let T C [n] be a random 
subset of size k chosen according to a given distribution P T . Let II a permutation chosen 
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uniformly at random, but such that it maps all elements in 5 into T. Strong subadditivity 
(Theorem 3.2.12 in [ Ren0 5]) implies 



HLm( x s I S,Q) > H £ min (X s | 5, n, Q) 

= H £ min (U(X) T \T,U,Q). 

Note that from (5,11) it is possible to calculate (T, II), and vice- versa. Furthermore, since 
II is chosen independent of Pxq, we have 

H^(U(X) | n,Q) = H^ n (X I n,Q) = H^ n {X I Q) . 

Since 5 was chosen uniformly and independent of T and Pxq, n is independent of T and Pxq- 
Setting Q' := (Q, II), we can apply Theorem [T] or [2] to the state pu<x)Q', an d get a bound on 
H e riin (Jl(X) T | T, n, Q), which then directly implies the same bound for H ^ in (Xg \ S, Q). □ 

4 A Sampling Theorem from Quantum Bit Extractors 

In this section we give a new min-entropy sampling theorem using a completely different 
approach than [KR07] . Our proof has two steps. First, we show a bound on the guessing 
probability of the XOR of a randomly chosen substring of X using results from jDVlOj. 
which are based on strong quantum extractors. Second, we will show that this implies a 
bound on the guessing probability of a randomly chosen substring of X. To show this we 
use a similar approach as the proof of Theorem 2 in |BARdW08| . 

A function ext : {0, l} n x {0, l} d — >■ {0, l} m is a (£,e)-strong extractor against quantum 
adversaries, if for all states pxq that are classical on X with if min (X | Q) p > t and for a 
uniform seed R, we have D(p ext ( X ,R)RQ, W ® Pr® Pq) < £ ? where tu is the fully mixed state. 
A strong classical extractor is the same, but with a trivial system Q. If m = 1, we call it a 
bit-extractor. Konig and Terhal showed in |KT08j that any classical bit-extractor is also a 
quantum bit-extractor. 

Theorem 4 (Theorem III. 1 in [KT08J). Any (£, e)-strong bit-extractor is a (£+log 1/e, 3^)- 
strong bit-extractor against quantum adversaries. 

One way to construct a strong bit-extractor is to use a (e, 5, L)- approximately list-decodable 
code, which is a code C : {0, l} n — > {0, l} m where for every d G {0, l} m there exist L strings 
ci, • • • , cl G {0, 1}™, such that for any string x G {0, 1}™ satisfying (iff(c', C(x)) < (| — e)m, 
there exists an i G {1, . . . , L} such that dn(c', q) < 5m. From a code C : {0, l} n — > {0, l} 2 ', 
we can build a bit-extractor ext : {0, l} n x {0,1}' — > {0,1} as ext(x,y) := C(x) y , where 
C(x) y is the yth position of the codeword C(x). 

Lemma 3 (Claim 3.7 in |DV10j ). Let 5 G [0, |]. An extractor build from a (e,5,L)- 
approximately list-decodable code C : {0, l} n — > {0, l} 2 ' is a (£,e)-strong classical bit- 
extractor for £ > H(S)n + logL + log2/£\ 
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The (n, fc)-XOR-code over strings of length n is the code where the string x gets encoded 
into a string of size m where each bit is the XOR of a subset of x of size k. 

Lemma 4 (Lemma 42 in [IJK06j . adapted in [DV10] . Lemma 3.11). For e > 2k 2 /2 n , the 
{n^k) -XOR- code is a (e, rhif, 4/ e 2 )- approximately list-decodable code. 

Combining Lemmas [3] and H] with Theorem m we get the following lemma. 

Lemma 5. Let e > 2k 2 /2 n and k > 2 In-. The extractor build from the (n, k)-XOR-code 
implies a (£, 3 \fe) -strong bit-extractor against quantum adversaries for 

£ > #(Vln-V + 41og- +3 . 

V k e) e 

Proof. Using Lemma [3] and HI the (n, fc)-XOR-code implies a (£, e)-strong classical bit- 
extractor for 

/ 1 2\ 4 2 /l 2\ 1 

£ > H -rln- n + log — + log- = H r ln- n + 3 log - + 3 . 

\k e/ e l e \k e/ e 

The statement follows from Theorem |H □ 

From Lemma [5] follows that that if a string X can only be guessed from Q with probability 
at most 2~ e , i.e., if min (X | Q) > £, then the XOR of a random subset of size k can be guessed 
with probability at most 1/2 + 3\/e. 

The following lemma gives a bound on the probability to guess a whole substring, given 
bounds on the probability to guess the XOR of substrings. It has been proven as a part of 
Theorem 2 in (B ARdW08] . For clarity, we include the proof here. 

Lemma 6 (part of Theorem 2 in |BAR dW08j). Let pxq be a cq-state where X e {0, l} n and 

let po, . . . ,pk > be upper bounds on the probability to guess the XOR of a random subset of 
X of size j given Q and the subset. Then the probability to guess a random subset of X of 
size k from Q and the subset is at most 

Proof. Let Pt be the uniform distribution among all subsets of [n] of size k, and let t be 
distributed according to Pp. Let Ps\T=t be the distribution that chooses a random subset of 
t. This defines the joint distribution Pst, as well as the distributions Ps and P T \ S=S . Let 

for j G {0, . . . , k}. Pj(j) is the probability that the subset s has size j. We have Ps(s) = 
Pj{j)Ps\j=j( s ), where Ps\j=j{s) is the uniform distribution over the subsets of [n] of size 

j- 



6 



For any t, let S t be a POVM on Q that guesses X for the subset t, for t chosen according 
to Pt- For any t, this defines a distribution Pw\T=t over error-strings u> G {0, l} k , where 
w = k means that the guess was correct. For s C [k], let 



Q S \T=t(s) : = 7^ E P W\T=t{w)Xs{w) , 

u>e{o,i} fc 

where Xs( x ) '■= (~ ^) xs , i- e -> h is the parity of the bits of w indexed by s. Qs\r=t is the 
Fourier-transform of Pw\T=t, so we also have 

Pw\T=t(w) = Y Qs\T=t(s)Xs(w) . 

sC[k] 

Using all subsets of t as the domain of s, and since x s (0) = 1 for all s we can write 

P W \T=t(0) = Qs\T=t(s)Xs(0) = E ^ E P W\T=t(w) X s(w) . 

set set 7;ipin.n fc 



Let p be the maximal probability to guess a subset t distributed according to Pt- Note 
that for s C t, we have Ps|T=t(s) = 2 _fc . We get 

p = ^P T (t)P H /| r=t (0) 

= E E ^ E ^Vi^*Hx.h 

= E *M*) E P S\T=t(s) Pw\T=t(w) X s(w) 
t sCt w 

= ^2 Prs(t, s) Y Pw\T=t(w)Xs(w) 

t,s w 

= E P 'W E P S\J=M E P T\S=s(t) Pw\T=t(w) X s(w) . 
j s t w 

Given a set s of size j, let us apply the following algorithm to guess the XOR of the subset 
s of X. We first sample t according to Pr\s=s(t), then apply the POVM £ t to Q, and then 
output the XOR of the bits in s of the outcome. The probability that this algorithm guesses 
correctly the XOR of a randomly chosen subset of size j is 

s t w 

Since this must be upper bounded by pj, it follows that 

E P ^=j E P T\S=s(t) E P W\T=t(w)Xs(w) < 2 Pj - 1 . 
s t w 



So we get 



p<E p ^)(2Pi-i) = Ei(*)(^- 1 



3=0 

□ 

We can now use Lemmas [5] and [6] to proof our main result. 

Theorem 5. Let a cq-state pxQ be given, where X G {0, l} n . Let T be a random subset of 
[n] of size k. If log - < k/12 — 5 and 

H min (X \Q) P >H (j log — )n + 8 log — + 3 , 
\k p J p 

then H min (X T | TQ) p > log ~. 

Proof. From log - < fc/12 — 5 follows that 121og(17/p) < k and hence also 171n(17/p) < k. 
Since k < n and 5k/ 12 > log(17A;) — 5, it follows also that 

l0g I ~ 12 ~ 5 " \ ~ log ( 17A; ) - \ ~ lo g( 17A 

and hence p 2 > 288 • k 2 /2 n . For j G {0, . . . , n}, let pj be the guess probability of the XOR 
for random subsets of size j. From Lemma [6] follows that 

Pgucss(X T I TQ) p <^E(-) Cfci - X ) 

i=o 

j=0 VJ/ j=fc/4+l VJ/ 

< -r > + max (2p,-/ - 1) . 



3=0 

We have 

fc/4 



I)?C) = Pr [ JiS */ 4 



i=o 

where J = J^ ig [ fc ] and Jj are independent and uniform on {0, 1}. From Lemma [2] follows 
that 

Pr[J < fc/4] < exp(-fc/8) < p/2 , 
since > 17 In — > 8 In -. Let e := n 2 /144. Since k > 17 In— , we have 

— p p c I — p ' 

1 8 17 4 288 _ 4 2 

2 k p k p 2 k e ' 



8 



and hence 



# mi n(X | Q) P > H (i In ~)n + 4 log i + 3 . 
From p 2 > 288 • £; 2 /2™ follows that £ > 2£; 2 /2™ > 2(A;/4) 2 /2 n . Lemma [5] implies that 



max (2p.ji — 1) < 6-v/e = p/2 . 

i'G[fc/4+l,fc] V J 



The statement follows from the definition of H m i n . □ 
Proof of CorollaryUi Let p := 2~ H 1 ( c / 2 )fc/6-5^ w j 1 j c j 1 implies 



tf|5, og iT|<£. 

p 



From H- 1 (c/2) < \ follows that 



, 1 H~ 1 (c2) 1 k 

log - = —!—k - 5 < 4 

p 6 - 12 



Since n > k and | > x > we have 



, 1 H- 1 (c 2) 1 . . n c/2 n cn 

log - = ^^fc - 5 < H-\c 2) 5 < - 5< 5 

p 6 ~ v / 7 6 ~26 ~24 



which implies 



1 2 I C7Z 

81og— + 3 = 81og- + 81og(12) + 3< — - 40 + 32 + 3< — 
p p 3 2 



Hence, 

m > H I ...^ , ^ 

k p J p 

The statement follows from Theorem [5j □ 



cn > H \ — log — I n + 8 log h 3 



5 Lower Bounds for Random Access Codes 

Corollary [T] directly implies a lower bound for random access codes: if we choose the string 
X e {0, 1}™ uniformly and the quantum system Q has at most m < (1 — e)n qubits, then 
by Proposition 2' in [KT08], we have H min (X \ Q) > en. Corollary [2] follows. 

Theorem [1] or [2] in combination with Theorem [3] can be used to give a bound for random 
acces codes, since H^ in (X | Q) > I implies P gue ss(^ I Q) > + e. But even though 
the bounds given in Theorem [T] and [2] are almost tight for the smooth min-entropy, they 
only give weak bounds on the min-entropy, since the smoothness error e is relatively big: in 
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Theorem [T] (using X = {0, l} fe ), we sample from n' := n/b block a subset of r := k/b blocks. 
Since £ < 1 and k = \ = yV < 0.15, we have b > tttW. Therefore 

' — rb kb — ' — 0.15k 

e > 3e~ r?2/8 = 3e" fc « 2/(8fe) > ^ e -0-^k 2 e/(Sn) > 2 -o(k 2 /n) _ 
In Theorems [2} it is required that k > r 4 , which implies that 

e = 5/ ■ > 5/ • 2~^ 8 = 2-°(^ . 

Therefore, Theorem [T] and [2] in combination with Theorem [3] can only provide us with weak 
bounds for random access codes. 

6 Open Problems 

Both our sampling results only apply to the case where the sample is chosen uniformly. It 
would be interesting to know if they can be generalized to other sampling strategies. 
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